1 Answer

Yes, P-256 generates 256-bit private keys (give or take a single bit).

The confusion here is that this key is 256-bit effective (giving ~128-bit security) even if it starts with zero bits. So the private key is 256-bit even if the representation as a large integer can be smaller than the requested size. This simply means that the full key space is being used. So there is a relatively big chance (about 1/256) that the big-endian encoding of the integer is one byte smaller. Most libraries, however, require an integer-to-octet-string primitive to be used (I2OS or I2OSP). This represents the private key in a static number of bits, e.g. 256 for the above.

The same is true for RSA, by the way. Always expect numbers to start with a random number of zero bits, unless this is explicitly not possible. And be warned against signed/unsigned representations, of course.
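The following is an added, self-contained Python example illustrating the answer above; it is not part of the original answer. It draws P-256 scalars uniformly from [1, n-1] (n is the standard secp256r1 group order), encodes each one three ways, and counts how often the minimal big-endian encoding drops below 32 bytes (about 1/256 of the time) versus how often a DER INTEGER needs an extra 0x00 sign byte (about half the time), while I2OSP always yields exactly 32 bytes. The function names (`gen_p256_private_scalar`, `encoding_stats`, etc.) are hypothetical; only the standard library is used, so nothing here is a real crypto library's API.

```python
import secrets

# Order n of the P-256 (secp256r1) base point: a valid private key is an
# integer d with 1 <= d <= n-1, so the key space is essentially 2^256 wide.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_KEY_BYTES = 32


def gen_p256_private_scalar(randbelow=secrets.randbelow):
    """Uniform scalar in [1, n-1] by rejection sampling (hypothetical helper;
    real libraries do the equivalent internally)."""
    while True:
        d = randbelow(P256_ORDER)
        if d != 0:
            return d


def i2osp(x, length):
    """RFC 8017 I2OSP: big-endian octet string of exactly `length` bytes,
    leading zero bytes included."""
    if x < 0 or x >= 1 << (8 * length):
        raise ValueError("integer does not fit in the requested length")
    return x.to_bytes(length, "big")


def minimal_be(x):
    """Shortest big-endian encoding: leading zero bytes are dropped, so the
    length depends on the value (this is what makes some keys look short)."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def der_integer(x):
    """ASN.1 DER INTEGER for a non-negative x: two's complement, so a value whose
    top bit is set needs a 0x00 prefix or it would decode as negative."""
    body = minimal_be(x)
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) >= 0x80:
        raise ValueError("short-form DER length only; enough for a 33-byte body")
    return b"\x02" + bytes([len(body)]) + body


def decode_der_integer(blob):
    """Decode the DER INTEGER produced above, honouring the sign bit."""
    if blob[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    n = blob[1]
    return int.from_bytes(blob[2:2 + n], "big", signed=True)


def encoding_stats(count, randbelow=secrets.randbelow):
    """Generate `count` keys; report how often the minimal encoding is shorter
    than 32 bytes and how often DER needs the sign byte. I2OSP is always 32."""
    short_minimal = 0
    der_padded = 0
    for _ in range(count):
        d = gen_p256_private_scalar(randbelow)
        if len(i2osp(d, P256_KEY_BYTES)) != P256_KEY_BYTES:
            raise AssertionError("I2OSP must be fixed width")
        if len(minimal_be(d)) < P256_KEY_BYTES:   # top byte was 0x00
            short_minimal += 1
        if len(der_integer(d)) == 2 + P256_KEY_BYTES + 1:  # bit 255 was set
            der_padded += 1
    return {
        "short_minimal_fraction": short_minimal / count,  # expected about 1/256
        "der_padded_fraction": der_padded / count,        # expected about 1/2
    }


if __name__ == "__main__":
    stats = encoding_stats(20000)
    print(f"minimal encoding shorter than 32 bytes: "
          f"{stats['short_minimal_fraction']:.4f} (expect ~{1 / 256:.4f})")
    print(f"DER INTEGER needed a 0x00 sign byte:    "
          f"{stats['der_padded_fraction']:.4f} (expect ~0.5)")
```

The practical check this gives you: if code compares `len(key_bytes) == 32` on a minimally encoded scalar, it will reject roughly one key in 256, and if it reads a DER INTEGER body with a signed interpretation it will turn about half of all keys negative. Use the fixed-width I2OSP form for raw keys, and keep the DER sign-byte rule in mind for anything ASN.1 encoded (RSA moduli and primes included).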